- Date: 11 September 2015
- Author: Trevor
- Category: Exfiltration, Malware, Network Security, XFIL
Read a recent news article about a data breach and it will likely mention data exfiltration. It’s usually the last event in a string of seemingly preventable mishaps that result in a lot of people getting free credit reporting (or, as of late, uncomfortable conversations with their spouse). The exfiltration bit can usually be found right before an “I-told-you-so” quote from a vendor:
“OMG you guys, we all need to start dealing with these attacks! We can help, please Google us.” Capt. Obvious, Chief Quote Officer, Security Vendor, Inc.
But what exactly is data exfiltration, and what solutions exist to prevent it? Exfiltration is a nebulous concept that doesn’t have its own Gartner Magic Quadrant. It’s also not something many organizations are focusing on. We find that the usual response to data exfiltration is to throw a bunch of different security technologies together and hope that they cover the final stage of an attack. Organizations stitch together different security solutions and controls to prevent it: IDS/IPS, firewalls, DLP, endpoint agents, etc.
Then what does the industry do to test the racks of gear blinking away in the data center? A penetration test. Penetration testing serves an important role within your security program, but it typically ignores exfiltration testing and offers the customer only a snapshot-in-time view of their security posture. That snapshot is still critical validation (or negation) of your security posture and something every organization should be doing. Historically, however, penetration tests have focused on the “tip of the iceberg”, from the outside in, and don’t take the overall environment and processes into account. It’s a very perimeter-intrusion-centric approach.
Organizations spend a lot of money on security. But does it work?
Ask yourself: “Do our penetration tests cover all layers of our security budget?”
Last week our CTO, Trevor Hawthorn, presented on “Safeguarding your network from Data Exfiltration attacks.” During the talk, Trevor discussed recent data breaches, how attackers typically transmit data out of the victim’s network during a data breach and why victim organizations are usually unaware of data being exfiltrated.
Testing for data exfiltration is very important, as it is part of the final steps taken by an attacker and the last chance to prevent a breach.
We believe the symphony of exfiltration requires an orchestrated approach, which is exactly why we developed XFIL.
XFIL is a patented data exfiltration testing platform that simulates the final stages of an attack: lateral movement and data exfiltration out of your network. The platform can help an organization test and validate existing security controls, network visibility, and identify weaknesses that could be exploited to circumvent those controls. XFIL simulates 260+ methods that are used to sneak data out of your network.
During our webinars, we try to save a lot of time for Q&A as it’s often the most informative part of the talk. Below are answers to some great questions about XFIL that were asked by attendees, for those who were unable to attend.
Can we run XFIL from multiple networks? Yes, that is one of the intended use cases. Everyone has networks of differing levels of trust, so XFIL is meant to be run from those different networks and to test the layers of your defense.
What is a tactful way to address “we just had a pen test and they found nothing so are we certified and good to go?” (client has no IPS or SIEM so the findings are not accurate) You don’t want the absence of a really bad finding to be interpreted as a clean bill of health. Having a third party perform an assessment on your network/system/application is typically a time-based test that might not cover all the possible factors and situations. It is good that (at this particular moment) the test did not find any issues with your “fill in the blank”; however, you still need to ensure you have the appropriate levels of controls in place, as well as the people, processes and visibility to protect it.
Do customers use this (XFIL) to test their MSSP? Absolutely, your Managed Security Service Provider is part of your overall “system” and security monitoring processes. It is always recommended to test and validate that all of the different components of your security program are working in an orchestrated manner.
Will organizations be allowed to use XFIL to test their third parties? The short answer is yes. Part of XFIL’s functionality helps you answer some of the difficult questions regarding your security, such as how porous is this network, what do the internal network controls look like, and how mature is the security program. Your third party vendors can be seen as an extension of your organization and if you have the contract language to do so, you could quickly understand the maturity of the security posture of the third party by running XFIL in their environment.
Does this help at all with PCI and/or gaining PCI compliance? PCI DSS (Requirement 1.2) requires firewall and router configurations to implement default deny. XFIL performs outbound port scanning that will identify allowed services for easy comparison with approved business requirements.
How do we go back and correlate alerts and events with what XFIL does? We have two answers for this question: how things work currently, and what we’re planning to implement in the near future. Right now you can review the results of the XFIL assessment in the XFIL console as well as in whatever log management/SIEM solution(s) you have in place. We hope to have an updated answer (or solution), such as a custom Splunk application, to assist with correlation more efficiently in the near future.
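A worked illustration of that correlation step, added here and not XFIL’s own tooling or output format: it matches constructed simulated-exfiltration records against constructed firewall and IDS log lines, labels each method by the visibility it produced, and lists the methods that got data out without raising an alert.

```python
import re
from datetime import datetime, timedelta

# Constructed records for simulated exfiltration attempts (an invented layout,
# not XFIL's real output): timestamp, method, destination, port, outcome.
ATTEMPTS = [
    ("2015-09-04T14:02:11", "https-post", "203.0.113.10", 443, "success"),
    ("2015-09-04T14:03:40", "dns-txt-tunnel", "198.51.100.5", 53, "success"),
    ("2015-09-04T14:05:02", "ftp-upload", "203.0.113.22", 21, "blocked"),
    ("2015-09-04T14:06:30", "icmp-tunnel", "203.0.113.30", 0, "success"),
]

# Constructed firewall and IDS lines in an invented syslog-like layout.
LOGS = """\
2015-09-04T14:02:12 fw01 ALLOW tcp 10.0.5.17:51234 -> 203.0.113.10:443
2015-09-04T14:05:03 fw01 DENY tcp 10.0.5.17:51240 -> 203.0.113.22:21
2015-09-04T14:05:03 ids01 ALERT "FTP upload to external host" src=10.0.5.17 dst=203.0.113.22
2015-09-04T14:09:00 fw01 ALLOW udp 10.0.5.17:40001 -> 198.51.100.5:53
"""

FW_RE = re.compile(r'^(\S+) \S+ (ALLOW|DENY) \w+ \S+ -> ([\d.]+):\d+$')
ALERT_RE = re.compile(r'^(\S+) \S+ ALERT "[^"]*" src=\S+ dst=([\d.]+)$')

def parse_logs(text):
    """Return (timestamp, kind, destination) for every recognised log line."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
        m = ALERT_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), "ALERT", m.group(2)))
    return events

def correlate(attempts, events, window_s=30):
    """Label each method 'alerted' (IDS alert), 'logged' (firewall record only) or 'blind'."""
    window = timedelta(seconds=window_s)
    report = {}
    for ts, method, dst, _port, result in attempts:
        t0 = datetime.fromisoformat(ts)
        # Only events for the same destination inside the time window count as visibility.
        kinds = {k for t, k, d in events if d == dst and abs(t - t0) <= window}
        visibility = "alerted" if "ALERT" in kinds else "logged" if kinds else "blind"
        report[method] = (result, visibility)
    return report

def visibility_gaps(report):
    """Methods that got data out without an alert: the gaps to close first."""
    return sorted(m for m, (res, vis) in report.items() if res == "success" and vis != "alerted")
```

The DNS tunnel shows the timing trap: a matching firewall record exists, but six minutes late, so within the window it is indistinguishable from no visibility at all.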
Can XFIL simulate malware indicators? Yes, there are several ways we do this today, such as, from a network standpoint, beaconing out to known bad DNS names. As part of our product roadmap, we plan to build out various malware modules for clients so they can simulate recent malware indicators or command and control activities.
We appreciate all the questions and feedback from our webinar. If you have any additional thoughts and/or questions, please feel free to send an email to the Stratum/XFIL team, which can be reached via email@example.com, or you can learn more about XFIL here: http://stratumsecurity.com/xfil/.
Slides from the webinar can be downloaded from here.